Security and Business Leaders: A Communications Gap
When I find myself talking to a group of security professionals, eventually the topic will turn to whatever security breach was in the news that morning, and how easily it could happen to us. From there we might discuss how people outside the security profession do not see these obvious risks in the same way we do. Then we will ask each other how we can convince our executives to give us the proper resources to protect our organizations from the threats that we see so clearly every day.
We also ask ourselves:
How can they expect me to protect the company if they cut my budget?
Why don’t they think about security before the incident happens?
How do I get “a seat at the table?”
Why does procurement have more say about my program than I do?
Why won’t they do what I know they need to do to protect the (insert important thing here)?
These questions, although natural to people who are driven to protect and defend what we are responsible for, are, in fact, not the questions that are going to get our security programs where they need to be. Why not? Because we are not speaking the language that our audiences understand.
Bridging The Gap: Whose Job Is It?
Even a decade ago, security teams operated under the thinking that it was the business’s responsibility to understand the importance of security and, therefore, recognize the need to invest. But in the world of business, that’s simply not the case.
Taking a risk-based approach and using an Enterprise Security Risk Management (ESRM) model is the underlying thought and life-cycle of many security programs now. More security leaders are adopting the approach every year as they see the change it can bring to the effectiveness of their programs. In the article: What is Enterprise Security Risk Management (ESRM) and How Can Your Organization Benefit From Taking This Approach To Security?, one of the key ideas underpinning ESRM is partnership with the business, and we need to remember that partnering aspect when we are communicating with our internal “customers” — the business leaders.
Business leaders have operations to run and missions to fulfill, and as security leaders we need to understand that it’s up to us to bridge the gap between the security way of thinking and the business way of thinking. Just as we would learn the language if we set up a security shop in a foreign country, we need to ensure that we are speaking the language that business executives understand. This is critically important when we are discussing the needs we have for the enterprise security program. It’s not a large gap to bridge, but you have to recognize that gap if you intend to cross it.
Building the Bridge: A How-To Guide
There are a few relatively simple things to keep in mind as you begin the process of bridging the communications gap that exists in many organizations between the security team and business leaders.
Engage as a partner to understand what the business needs
You cannot build a bridge if you do not know what is on the other side of it. The most critical piece of the equation when engaging business executives in a discussion about the importance of security is understanding how they look at the world and what is most critical to them. In most cases, the easiest way to find out what is important to people is to sit down and have a conversation.
Ask simple questions, such as:
- What are you responsible for?
- What does your group do?
- Which resources are so critical to your group that, if something happened to them, you would not be able to do your work?
- Is there anything you are particularly worried about?
Answers to these questions can all go a long way to building your understanding of what the business cares most about protecting, allowing you to focus your efforts. They will help you transition from being the department that tells the business what it can and cannot do to being the teammate who helps them protect what they care about. Open conversations go a long way to building trust. A critical point to communicate is that you are there to help the business complete its mission. You are not going to stand in the way of getting work done. Once you understand what is important to the business, you can begin to discuss the security risks affecting those areas and the impact there could be if those risks were to materialize.
Treat security risk the same as any other business risk
Framing your discussion of the security issues you see in a risk-based approach will help build your relationship on a common platform. Business leaders are used to having critical discussions about risk. They deal with risk every day in all areas of the business. Financial risk, operational risk, resource risk and regulatory risk are topics that your executives think about every day. If you are going to talk to them about security, frame your discussion in the language they understand — risk.
The risk-based conversation looks a little different from the old-style security conversation. In a risk-based approach:
Security conversations are based on:
- Quantified risk measures
- Identified risk tolerance thresholds
- Resource owner agreement
- Measurable evidence
Security decisions are NOT based on:
- A “gut feel”
- “What everyone else does”
- “Fear, uncertainty and doubt”
- A “best practice”
- Anecdotal evidence
In a risk-based conversation, you and your business partner have a chance to clearly understand the role of the security department in helping the business continue to carry out its mission, ensuring that critical resources are continually available. You will have the chance to understand the acceptable level of security risk tolerance for business resources because you have asked what is important to them and ranked their importance. And you will both have the capacity to make quality, educated decisions on security risks to resources. These decisions will put an agreeable level of protection in place for those critical resources. Even better, having made those decisions together, your business partner will now have a stake in the results of the plan because they had a say in crafting it.
Measure and Report Your Results
However, it is not enough to simply have a risk-based conversation. Once you are engaged in a risk-management approach, you must continue to engage in the business process as any other business function would. That requires ongoing reporting of the effectiveness of your program in quantifiable ways. Identify metrics that show trends in risk, not only tasks completed or hours of work accomplished. You must tie meaningful data to your security activities if you want to measure the impact of a mitigation on a security risk.
A few examples of risk-management metrics:
- A reduction in the number of vehicle break-ins in a parking lot after an increase in patrols
- An increase in reported security concerns following a campaign of security awareness for employees
- An increase in the number of visitors to a facility processed per hour after implementing a visitor management system
- A decrease in the time to deploy credentials to new employees in response to a streamlined procedure
None of these metrics discuss the hours worked. They show the impact that resulted from a mitigating activity. More importantly, if the trend is outside the business tolerance, or the desired impact is not seen, you have clear metrics to support a discussion with your executives about changing the original plan. And that discussion is based in fact, not simply experience or opinion.
These few simple changes in how you approach and discuss security with your executives will go a long way in furthering the goals you have for your security program and your business partner’s goals for the business. Your business partner will have a better understanding of how to function in an environment of daily security risk, knowing that risk mitigation plans are in place to protect their critical resources.